ARN

Q&A: FireEye threat analyst, Steve Miller, discusses cyberwar and the future of criminal malware

Former NSA man talks exclusively on nation-state actors attacking Australia, criminal gangs, and keeping ahead of Zero Days
Steve Miller, threat analyst at FireEye

Steve Miller, threat analyst at FireEye

From the NSA to the private sector, FireEye’s Steve Miller has seen almost every type of modern cyberattack hitting the world’s networks and internal systems. In Sydney to hire staff for the launch of FireEye’s latest Australian Security Operations Centre (SOC), Miller took the time to chat to ARN about the modern threat landscape, the risks to Australian businesses and government from determined nation-state actors, cybercriminals and economic rivals. The age of cyberwar is definitely upon us.

Tell us a bit about how you ended up working in the private sector with Mandiant/FireEye, given your military and intelligence background?

I got my career kicked off working at the NSA between 2002-2007. Before that I was in the US army working in the signal corp. Components of the intelligence and security command within the US Army is subcontracted to work at the NSA, as an agency resource.

I worked at the agency, and lived and worked at Fort Meade, and did quite a few things which I naturally can’t go into detail about. I worked in global signals and network analysis, and most of my focus was on supporting the various US wars going on at the time, especially the response to the tragedies of 9/11.

I left the agency in 2007 to go back to school. I ended up working at Cornell University studying computer science, which led into security and computer forensics. I started doing some project work with the Department of Homeland Security and the Department of State. My whole focus at that point was forensics to work in law enforcement, such as focused forensics for investigations and civil litigation, and any sort of criminal investigations as well.

In 2013, just as I had accepted a role for the FBI in Puerto Rico, the US government was going through the (2013) sequester. They delayed the starts for new hires, especially at the Federal Government level. I took the opportunity to go to Mandiant, and I moved to Redwood City in California to start the first SOC (security operations centre) for Mandiant, a 24/7 service. From there Mandiant and FireEye merged and I have since been rolling out our offering globally.

It sounds like you fulfill a lot of roles, what technically is your job title?

Historically my role has always been technical analysis, but I’m shifting into a new area which is building and expanding and enabling our global offices locations. I don’t have an official title, I call myself the operations lead, for all operations in Asia-Pacific. We’re building the Sydney one as we speak, we don’t officially launch the new SOC until March 4th.

So you will running the operations out of Sydney?

Hopefully. I’m going to be living here. The reason I’m out here at the moment is to hire everybody. I’ve just hired a SOC manager, I’ve hired all the analysts, and I’m getting these operations centres integrated, up and running to ‘follow the sun’ – our service delivery model.

So why is FireEye placing such a big emphasis on APAC?

We’ve wanted to build our presence here for a long time, long before we came together with FireEye. We were already laying the groundwork in Singapore before the merger. We had a pretty strong relationship with Singtel/Optus across the region, so we also wanted to support that.

Australia is a particularly hot spot right now. By that I mean that several companies and organisations have been impacted by targeted threat actors. That’s what we’re famous for.

We’ve seen huge breaches in Singaporean government, energy and utilities industries especially.

It’s the same in Australia. The natural resources industries in A/NZ have been impacted by breach and threat actor activity. Australia has a lot of internationally renowned avionics companies, shipbuilders, and lots of defense-industrial technology companies that are very juicy targets for those who want to steal intellectual property.

So who are we talking about here – nation-state actors or criminal gangs?

We’re definitely talking about nation-state actors. Australia’s a little bit behind the curve down here in terms of awareness, in terms of detection, and in terms of response. I think that its about where we were in the USA two years ago. We’re still spinning up to our knowledge of what’s going on.

Have you been in discussions with the government concerning Australia’s lax security laws, including no mandatory disclosure laws for security breaches?

If we are I can’t really speak to that.

What are some of the key attack vectors in the modern market, and how are they changing?

Attacks don’t actually have to be that sophisticated in order to succeed. Spear-phishing will always get in, one way or another. But yes, the threat actors have changed a little bit. They’ve got a bit better at writing these spear phishing attacks.

You mean their English has gotten better?

Yes, their English gets better, their infrastructure changes – so its always more about their methodology.The social engineering aspect is vital – so we’re seeing more use of social media. Such as friending someone on Facebook. Or with Linkedin, sending a resume to the HR team of something that you’re trying to compromise – that CV contains an exploit, for example.

Threat actors are now using more ‘Zero-Days’ more than ever before. These aren’t just things that they identify for themselves, but that they can buy them on the black market. Typically, all large governments, have defense contractors who sell zero days as a commodity, or a service. Resource threat actors out there will buy them, and they will selectively use them to compromise their targets.

How can you stop Zero Day breaches? Isn’t that impossible?

There are infinite amounts of them. You can’t. Every time anyone creates a new software update, there’s new code, there are new methods, and we find them all the time. Last year, FireEye found 15 of the 16 total discovered last year, I believe.

We’re talking about Windows, Internet Explorer, Java, Adobe Reader, Microsoft Word, basically a lot of the things that enable us to do what we do in everyday life in business – the stuff that we can’t do without. These are platforms that are typically so big, its difficult for anybody to identify all these vulnerabilities and patch them.

What’s a good example of a Zero Day your team has worked on?

A big campaign we did for Firefox was called ‘Clandestine Fox’ in 2014, which came out of my business unit – managed defense. I was there that night, it was very exciting.

So in one customer environment (Internet Explorer), we pulled a simple data thread and said ‘well this looks interesting ’. We worked with our intelligence teams and our reverse engineering laboratories to identify what was happening, it was an exploit. So we approached Microsoft, and they confirmed that it had never been seen before, and was an unknown exploit. So right away they confirmed that this was a Zero Day. We worked closely with them, before we announced it publicly, to see if they could patch it. This vulnerability affected Internet Explorer versions 6 through 11 – which was on approximately 80 per cent of machines worldwide.

We knew it was huge. Microsoft had previously said they wouldn’t patch anything on Windows XP beyond its support expiry date – but because it was so profoundly impactful, they patched it anyway. So personally I felt like we’d done something really cool, and performed a global service.

Haven’t you just thrown away your competitive advantage in the marketplace by sharing this information?

Look, it’s a public good. We see a lot of social value in that, for our company. It’s good press – hearts and minds.

So how do Australian businesses tackle these kinds of high end threats?

Too many people have local admin privileges, and the attackers are really just using pretty rudimentary tools to harvest those credentials off those machines. They then use those credentials to get further into company networks and machines.

In terms of things that are extremely high tech, we see some very stealthy malware, such as tunnelers and other utilities, but the method of getting those high tech tools into the environment tends to be about the same. It’s the human element.

For example, attackers will usually find some method of uploading a webshell onto their victim’s Web server, so now they can interact with it as a vector. Then if companies don’t do simple input validation, of files or permissions on that webserver , then youre in pretty bad shape once the attackers get in there.

Once they’re inside the attackers can do really amazing things, using one’s own tools. We’ve even seen attackers decrypt VPN seeds for two factor authentication. We’ve seen these attackers develop Android malware for specific users, then phish them, so they can intercept their two factor authentication SMS texts. They can then log in like they are that person.

On their own, a lot of these methods aren’t that profound. But to have a threat group that can combine all of them, and move really quickly – say, within three hours go from the first backdoor breach to stealing 50gb of research data. That shows to me a very brazen, and a very sophisticated attacker.

They can be very comprehensive as well – they often come from a lot of different angles simultaneously.

So how on earth do you protect your company data if you only have three hours to react?

That’s the biggest challenge for everyone. What I would describe as a rudimentary axiom of security is to at least organise your business to give most people the least privilieged access. Give them no more than what they absolutely need access to. We often find accounts at low levels in a company that have access across the entire business. That’s because IT has traditionally always been seen as enabler of business, and businesses don’t want to hinder that. But the fact is that these actors take advantage of that.

The other fact is to make sure you identify them early on. Yes, perimeter defense is a very much a part of the equation – but do you have the visibility of what the threat actors do once they’re inside?

What we do at FireEye is assume that they’re going to get inside, and detect them when they’re inside. Because we know everything about how they work. We know they move laterally. We know what tools they use, what commands they run. We perform that internal reconnaissance.

We can’t stop them getting in. They’re always going to be howling at the gates, and dodging the perimeter somehow. But once they’re inside, we can at least stop them from completing their mission.

For example, if they’re staging up data to steal it later, we wait a little bit and see everywhere that they have access to, all their accounts all their C2 domains, and then we cut them off all at once. We’ve already figured out how they got in, we use that time to fix the webserver, change all the two factor authetnication accounts and so on – then cut them off cold.

So its more damage control than actual defense?

Its not just threat actors looking to steal IP, datasets, customer data and credit cards, but also healthcare data, social security numbers the lot. But much more importantly, they may just want access to your environment to get access to somewhere else, utilising the trusted relationships between businesses and partner organisations.

They’re daisychaining through various businesses to reach a larger target?

Yes, we see that with organisations such as universities all the time. Universities are typically large, unsecured environments, there’s a lot of change going on, a lot of students downloading stuff, and they’re all connected to networks. Those networks often have trusted relationships with governments organisations and businesses that provide services to governments. It’s very much a stepping stone system.

That’s another problem for us. It’s not always easy to see what the final goals of the threat actors are. That’s why you look to a company that does a lot of threat intel, and knows a lot about the various attack groups to give you that context and history.

It sounds like you’re profiling, or producing an M.O., similar to law enforcement agencies in the physical world?

Yeah, we can get close to these ‘people’ and can spot the patterns. We can say ‘Hey, I know this group, we’ve seen them before – they like to do X’. You get to know them, you get to see their handiwork – it can become very much a cat and mouse game.

This sounds literally like a cyberwar – battle tactics and all…

I try to think about threat actors like us. What if they’re like our business unit, except they’re dedicated to phishing, devoted to maintaining backdoor access, or doing target scoping. Maybe there are team members that are devoted to stealing or identifying the data and pulling it out. Maybe they have quarterly incentive bonuses? If you start to think about threat actors like a ‘legitimate’ enterprise, you realise just how effective they can be at dividing and conquering.

So how does FireEye go about keeping ahead of such sophisticated threat actors? Especially if they’re state sponsored?

We tend to hire people that are hungry for knowledge. They are passionate about their work, and that turns them into an ever evolving security expert. We know the threat actors are changing all the time, and as long as we’re hungry to take the fight to them, we can apply what we learn in the future - if only by osmosis.

We’ve got the worlds leaders working here. We have a pretty flat organisation. The newest analyst can go talk to the man who wrote the authoritative textbook on malware analysis. We make it easy for those people to connect. It’s a halo effect.

Attracting talent, based on proximity to cool work and world leaders in the field, is one of the ways that we not only get world-leading talent, but cultivate it and create the geniuses and leaders of the future.